[whatwg] postMessage: event.source allows navigation of sender
Hallvord R M Steen
hallvors at gmail.com
Thu Feb 7 01:24:00 PST 2008
Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location, and thus navigate
the sender window/document. I think this is a bug in the API itself.
This seems to violate the API's promise of safe cross-domain
communication even with untrusted documents. One can imagine use cases
where a script in document A has a reference to window B and thus can
post messages, but window B does not have any to A and would not under
normal circumstances be able to change A's address.
I think this should be addressed by removing event.source entirely. It
would be weird to disallow setting location on a window object in this
context only. To allow posting replies we could instead define a
function on the event object. Say for example
document.addEventListener('message', function (e) {
    // e.reply() is the function proposed above, replacing event.source
    if (e.data == 'Hi') {
        e.reply('Hello');
    }
}, false);
--
Hallvord R. M. Steen
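
The reply-only idea from the message above, as an added example that is not part of the original post or of any browser's implementation: a wrapper that gives handler code the message data and a reply function but never the sender's window object. It assumes the current API names (event.origin, postMessage(message, targetOrigin)); replyOnly, makeFakeSender, demo and the example.* origins are hypothetical, and the sender window is a constructed stand-in so the block runs outside a browser.

```javascript
'use strict';

// Wrap a handler so it receives { data, origin, reply } and never the
// sender's window object (event.source) itself.
function replyOnly(allowedOrigins, handler) {
  return function listener(event) {
    // Drop messages from origins we do not expect.
    if (!allowedOrigins.includes(event.origin)) return false;
    const source = event.source;   // kept private to this closure
    const origin = event.origin;
    const msg = Object.freeze({
      data: event.data,
      origin,
      // The only capability handed out: a reply pinned to the sender's origin.
      reply(payload) { source.postMessage(payload, origin); },
    });
    handler(msg);
    return true;
  };
}

// Constructed stand-in for a sender window (records what it is sent).
function makeFakeSender() {
  const sent = [];
  return {
    location: 'https://a.example/page',
    sent,
    postMessage(message, targetOrigin) { sent.push([message, targetOrigin]); },
  };
}

function demo() {
  const sender = makeFakeSender();
  let sawSource = null;
  const listener = replyOnly(['https://a.example'], (msg) => {
    sawSource = 'source' in msg;   // false: no window reference is exposed
    if (msg.data === 'Hi') msg.reply('Hello');
  });
  const accepted = listener({ data: 'Hi', origin: 'https://a.example', source: sender });
  const rejected = listener({ data: 'Hi', origin: 'https://b.example', source: sender });
  return { accepted, rejected, sawSource, sent: sender.sent, location: sender.location };
}

// Browser use: window.addEventListener('message', replyOnly([...], handler), false);
```

This narrows what handler code receives; it does not change what the browser exposes on the real event object.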